Structure of Cyber Risk Perception Survey Could Distort Findings

The purpose of a new report (PDF ) from cyber insurance firm Marsh, supported by Microsoft's Global Security Strategy and Diplomacy team, is to examine the global state of cyber risk management: "This report provides a lens into the current state of cyber risk management at organizations around the world."

To achieve this, Marsh polled 1,312 senior executives "representing a range of key functions, including information technology, risk management, finance, legal/compliance, senior management, and boards of directors." However, there is no category representing information security, nor any specific indication where a security team fits in the organizational structure.

A reasonable assumption would be cyber security is treated as part of IT, and that if the organization has a CSO or CISO, that position reports directly to the CIO from within the IT structure. That would explain why IT is consistently described as the functional area that is the primary owner and decision-maker for cyber risk management in all companies across all sectors with revenue above $10 million per annum.

But it doesn't reflect reality. While the majority of CISOs might still report to the CIO, this is slowly changing. Some now report directly to the board while others report to the Chief Risk Officer (CRO) or Legal.

Furthermore, the cyber security function is key to the specification and implementation of any cyber risk mitigation policy (where 'mitigation' equates to risk reduction as opposed to other methods such as risk transfer, which equates to insurance). Human Resources (30 respondents) can help with insider risk definition and response. Procurement can help with security product purchasing (14 respondents). Finance (340 polled) can help with budget planning and financial compliance issues. But none of these will see the full cyber risk threat. While all of these should be involved in cyber risk management, only a dedicated security team is in a position to define and lead it -- and yet there is no cyber security function included in the report.

The decision not to give cyber security its own role, if not the primary role, within the survey has the potential to distort the findings. For example, 41% of the respondents are concerned about financially motivated attacks (which in this survey includes hacktivists), while only 6% are most concerned about politically motivated attacks including state-sponsored attacks.

The question asked was 'With regard to a cyber-attack that delivers destructive malware, which threat actor concerns you the most?" Options on offer included 'Operational error' and 'Human error, such as employee loss of mobile device'; neither of which are commonly associated with the delivery of destructive malware. It is not clear that heads of individual departments would have the nuanced understanding of different cyber threat vectors to provide an accurate view of overall cyber risk.

Another example can be found in the section on reporting. The report states, "53% of chief information security officers, 47% of chief risk officers, and 38% of chief technology/information officers said they provide reports to board members on cyber investment initiatives. Yet only 18% of board members said they receive such information." There is clearly a disconnect between reporting and listening -- and few people in the security industry would question that there is a security information communications problem.

This is the one occurrence of the title 'CISO' in the entire report -- but notice a higher percentage of cyber security officers report on cyber investments than do the IT officers. The implication is that if Security had been separated out from IT, then IT would not so consistently be seen as the primary decision-maker for cyber risk management -- something that most security practitioners might consider worrying given the non-cyber-risk and potentially conflicting business pressures already affecting IT.

This lack of distinction between IT and Security also misses a useful opportunity. The figures show that more reports are delivered by CISOs (percentage-wise) than by CIOs and CTOs. For several years now, CISOs have been on a campaign to improve their own and their security staff's 'soft skills'. Indeed, NIST's National Initiative for Cybersecurity Education (NICE) is this week running a webinar titled, 'Development of Soft Skills That Are in Demand by Cybersecurity Employers'.

NICE states that for cybersecurity employers, "soft skills such as effective communication, problem-solving, creative thinking, resourcefulness, acting as a team player, and flexibility are among the most desirable attributes they are looking for in a new hire." It would be useful if Marsh's figures could show the comparative effectiveness of cyber risk reporting coming from CISOs and CIOs.

Nevertheless, there is useful data and advice within the report. It shows that the majority of companies do not have a method of expressing risk quantitatively (that is, in economic terms). Those that do express their risk tend to do so qualitatively (that is, with capability maturity levels). But understanding the economic effect of different cyber events is essential for both risk mitigation and/or risk transfer. It helps the security team to understand where to concentrate both effort and budget; and it is essential for insurance companies to set realistic insurance premiums.

The figures show that just over half of organizations either have (34%) or plan to buy (22%) cyber insurance. The remainder either have no plans, or specifically plan not to buy insurance -- but a small number (less than 1%) have dropped existing insurance. The primary reason cited for dropping insurance is, "Cyber insurance does not provide adequate coverage for the cost."

The implication is that cyber insurance companies (which include Marsh) have a large potential market Cyber Insurance Market to Top $14 Billion by 2022: Report , but have not yet succeeded in fully making their case. This report does not help by largely ignoring companies' existing cyber risk mitigation specialists.

By not differentiating between the responding company's security function and its IT function, security-specific mitigation is diluted. When SecurityWeek asked Marsh why it hadn't separated the two, Marsh responded, "Don't know exactly what you mean by 'cyber security function' -- a CISO??"

The 'cyber security function' is the work performed by the security team under a variously titled head of cyber security. Although IT and Security must necessarily work together, they have different functions and different priorities, and therefore deserve to be treated separately.

Marsh provided SecurityWeek with a detailed breakdown of the respondents' job functions, answered under the question: "Which functional area most closely describes your position?" The available options were Finance, Risk management, Information technology, Board of directors, Operations, Legal/Compliance/Audit, Human resources, Procurement, and Other. 'Cyber Security' was not an option.

It is the security function that best understands and is most engaged in active risk mitigation. By concentrating the survey on general business leaders with little understanding of, or direct involvement in, cyber risk mitigation, the results inevitably favor the primary alternative; that is 'risk transfer'. Risk transfer is cyber insurance; which is what Marsh provides.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.